EL839723593US 



SUN-P7015 



C 



Begin 



) 



y 


f 


Web Browser Accesses Web Site That Uses A 


Cookie 




105 


} 





100 




110 



Browser Generates Cookie With 
Web Server URL And Web 
Server-Provided User Data 





FIG. 1A 



120 




Cookie 



Server ID (URL) 

Data (May Be Authenticated Or Sealed) 
-E.g. Session Number 



FIG. 1B- Prior Art 



EL839723593US 



SUN-P7015 



C 



Begin 



) 





f 


User Visits Service Provider Web Site 




r 


Service Provider Web Site Authenticates User 
Based On A Static Username And Password 




r 210 




Yes 



Provide Service 



200 




205 




215 



Refuse Service 



220 




c 



End 



3 



FIG. 2 -Prior Art 



EL839723593US 



SUN-P7015 



c 



Begin 



1 




Purchaser Writes A Check To Pay For Goods Or 
Services 




r 


Vendor Requires Credentials That Will Be Appropriate 
For The Method Of User Authentication Needed To 
Accept Payment (e.g. Drivers License, ATM Card) 




f 


Purchaser Provides Required Forms Of User 
Authentication 


} 


f 


Vendor Verifies Authenticity, Truthfulness Of Credentials 


1 


, 320 




300 




305 




310 



315 




325 




Reject Transaction 



Yes 



330 



Complete The Sale 



c 



End 



5 



FIG. 3 - Prior Art 



EL839723593US 



SUN-P7015 



400 



Userl 



405 



User 2 



410 



User 3 



415 



User 4 



420 



X 



User 5 



UserX 



435 



X 




Service 
Provider 1 
Web Server 



440 



Service 
Provider 2 
Web Server 



445 



Service 
Provider 3 
Web Server 



450 



Service 
Provider 4 
Web Server 



455 



x 



Service 
Provider 5 
Web Server 



Service 
Provider N 
Web Server 



425 



460 



465 



X 



Customer 
. Database ^ 

470 

x 

— Customer 
Jjatabasjj , 

475 

x 

— Customer 
Jjatabase ^ 

480 



x 



Customer 
)atabase^ 



490 

v 

Customer 
JDatabase ^ 

495 



x 



■ Customer 
JDatabase^ 



FIG. 4 -Prior Art 



EL839723593US 



SUN 



500 



Via Embedded URL 
Using A Service 
Provider-Created 
HTML Form 




FIG. 5 -Prior Art 



EL839723593US 



SUN-P7015 



600 



XT 



Userl 



605 



XT 



User 2 



610 



User 3 



615 



XT 



User 4 



620 



XJ 



User 5 



625 



XT 



UserX 



635 



Global Authenticator 




Service 
Provider 1 
Web Server 



Service 
Provider 2 
Web Server 



640 

v 



Customer 

Data 
Generator 



Global 
Customer 
^ Da tabase^ 



Global 
Authentication 
Database,^ 



Service 
Provider 3 
Web Server 



645 

V 



675 




650 



vice A/ 
ider4 / 



Service 
Provider 
Web Server 



655 



Service 
Provider 5 
Web Server 



V 



Service 
Provider N 
Web Server 



660 

V 



FIG. 6 - Prior Art 



EL839723593US 



SUN-P7015 



700 




710 



Dynamic 
Credential Data 
\ Authentication 

\ Dynamic 
\ Credential 
\ \ Authentication 
\ 



f Credential 720 
Request 
With 740 

Parameters, ^^^{T) \ Response 
Data And Dynamic \ \ 
Supporting Credential DatV \ 
Credentials Authentication N 
Request 

Request For 
Service + 
Credential(s), 
Parameters & Data 



745 



Can Make A More 
Refined [Localized] 
Credential Based 
On A More Generic 
redential 

715 



Service 



Note: Any Given ErffltylWay Assume A 
Role As A Customer, Service Provider Or 
Authority, Depending On The 
Circumstances 

Note: Each Step In The The Sequence 
May Be Separated In Time, And May 
Include Varied Computing Environments 




Assesses 
Credentials 



One Particular Type Of 
Service: Providing A 
Credential 



FIG. 7 



EL839723593US 



SUN-P7015 




FIG. 8 



EL839723593US SUN-P7015 




Data 

Authentication 
Mechanism 



Credential ID 



Credential 
Cryptogram 



Credential Authority 
Peer Group ID 



Credential 
Parameters 



Credential Data 



Sealed (Encrypted) 
Credential Data 



Nested Credentials 



FIG. 9A 




May Be Returned As 
-A Representation Of 
Full Credential 



May Be Stored 
Separately 



905 



945 



Data 

Authentication 
Mechanism 

955 
960 



965 



Used As: 
-XML Entity 
-Serialized Data 

-Fields In HTTP Request Header 970 




Credential 
Cryptogram 



Credential Authority 
Peer Group ID 



Credential 
Parameters 



Credential Data 



Sealed (Encrypted) 
Credential Data 



Nested Credentials 



Used As An ID, Computed 
f As Authenticator 

Entity That Signed The 
/Credential 



User Authentication Options 

Data Authentication Options 

Data Formats 

Sealing Options 

QOS ID - Maintained By 

Credential Authority 

Unsealed Data Is Used In 
Data Authentication, Or Is 
Authenticated Separately 

Only Cryptograms Need To 
Be Authenticated To 
Perform Secure Nesting 



FIG. 9B 



EL839723593US 



SUN-P7015 



C 



Generate Credential 
(Enrollment Process) 



) 



1000 



1005 



1025 



1030 



1 


F 


Receive Request Including One Or More 
Credentials 




F 


^ Process Credentials 




1010 J 


F 



1015 




Create New Creder 


itial As Requested 


i 


r 


Return New Cre 


dential To User 



Register Failure 




F 


Apply Fail 


ure Policy 



1020 



c 



End 



3 



FIG. 10 



EL839723593US 



SUN-P7015 




FIG. 11 



EL839723593US SUN-P7015 



(Apply Credential Evaluation 
Policies J 

1205 




Determine Whether The Credential Data Is Valid 



1235 




FIG. 12 



EL839723593US 



SUN-P7015 



C 



Assess Credential Data 



1300 




) 



1305 








Determine Whether The Type Of Credential Data 
Presented Is Sufficient For The Request Made 






Determine Whether The Credential Data 
Presented Matches The Request 


1310 1 





1330 



1315 





No 



Determine Quality Of Service (QoS) Of The 
Credential Being Created 



1320 




End 



End With Failure 




1325 



FIG. 13 



EL839723593US 



SUN-P7015 




EL839723593US 



SUN-P7015 



User 



Server 



C 



Use Credential To Obtain 
Services 



1500 



c 



Use Credential To Obtain 
Services 



Visit W 


eb Site 




t 




Present Credential^) 



1545 
1505 / 

/ / 

/ Service Reques 



1540 



Service Request 
+ Credential(s) 



5 



Receive Service Request And 
Credential(s) 



1550 



Process Credentials 



1565 



1560 



Service 
g Denial 



1555 



Deny Service 



1515 



1510 




Service 



No 

rSuccess?> > 



Fail 



c 





Yes 




Use Service 






f 





1530 




^Success?] 



Yes 



Provide Service 

1570 



1520 



End 



X 



End With Failure 



X 



End 



1535 



1525 



1575 



FIG. 15 



EL839723593US 



SUN-P7015 



Payment 
Authority 1 



Multiple IDs Available For User 

For Different Purposes / 1 602 



ID1 + 

Datal 



1604 1624 



1600 



X 



User 




1622 



Golfer 



ID2 + 
Data2 



1606 1626 



Military 



ID3 + 
Data3 



1608 1628 



Medical 
Patient 



ID4 + 
Data4 



1610 1630 



Student 



ID5 + 
Data5 



1612 1632 



Investor 



ID6 + 
Data6 



1614 1634 



Employee 



ID7 + 
Data7 



1616 1636 



Alumnus 



ID8 + 
Data8 



1618 1638 



Payment 
Authority 2 



ID9 + 
Data9 



1620 1640 



Automobile 
Driver 



ID10 + 
Datal 0 



FIG. 16 



EL839723593US 



SUN-P7015 



Authority 



1700 




User 



1704 
1706 
1708 
1710 
1712 

1714 



1716 



1718 



1720 



1720 



1702 



Secure User Data Storage 



User Data 1 



User Data 2 



User Data 3 



User Data 4 



User Data 5 



User Data 6 



User Data 7 



User Data 8 



User Data 9 



User Data 10 



1722 




Payment 1 



Golfers 
Assn. 



1724 



Military 



1726 



Medical 
Plan 



University 



Brokerage 
Firm 



Employer 



Alumni 
Assn. 



Payment 2 



Automobile 
Assn. 



1728 




1730 



1732 



1734 



1736 



1738 



1740 



FIG. 17 



EL839723593US 



SUN-P7015 



Generate 
Profile 



Web Site 
Service 



Smart 
Services 

Visits 

1844 



1830 



o 




Hi 


/- 


L:j 

jjgss: 


1806 


I H.J 


f 

1838 







Generate 
User Data 



Vendor 



^ Shops 



1822 



1800 
1846 \ 



User 



A 

1824 



1868 _ 



Web Site 
Service 



Smart *\ 
Services ^832 



Secure User 
Data Storage 1 



Checks 
Credit 



1834 
Enrolls 



Payment 
Agent 1 

Authorizes 

X 1810 1826 
1836 



1840 

X 

Ships 



Fulfillment 
Co. 



1814 



1828 ^ 



Shipping 
Agent 



K 

1802 



Delivers 



1818 



1842 



Generate 
Profile 



Smart 
Services 



Visits 

1866 



1852 



A 

1804 ; 



Secure User 
Data Storage 2 



Delivers 



Shops^ 



Generate 
User Data 



Smai 



7^omart 



Vendor 



1854 Services 

Checks 
Enrolls Credlt 



1856 



Payment 
Agent 2 



1848 



Authorizes 



1812 /V 
1858 



1808 



1860 



1816 



Fulfillment 
Co. 



1850 



1862 

@ 
Ships 



Shipping 
Agent 



1864 



1820 



FIG. 18 



EL839723593U3 



SUN-P7015 



C 



Begin 



) 



1900 



1 


r 


User Receives User-Controlled Secure Storage 
Device 


1905 -S 

^^-^/Enrol 


^ 

e ibw 

IWithV No 





Service 
avide 



Yes 



1910 



Store User Data On User-Controlled Secure 
Storage Device 



1915 



1920 




No 



Use User Data Stored On User-Controlled 
Secure Storage Device To Obtain Services 



1925 




Yes 



1930 





No 




r 


Discard User Data 


} 


f 



c 



End 



FIG. 19 



) 



EL839723593US 



SUN-P7015 



c 



User 

Use User Data To Obtain 
Services 



Server 

Use User Data To Obtain 
Services 



2000 



Visit W 


eb Site 




r 



2005 



2035 



Present User Data 




Service Request + 
User Data 



) 



2030 



2055 



2050 



2040 



1 


f 


Receive Service Request And 
User Data 


1 


r 


Process User Data 




r 2045 



Service 
.Denial 



Deny Service 



2065 



2010 




Service 



Fail 



Yes 



Use Service 



c 




Jl2— ^Success?} 



Yes 



Provide Service 




2060 



2015 



2020 



End 



X 



End With Failure 



2025 



2075 



X 



End 



2070 



FIG. 20 



EL839723593US 



SUN-P7015 



2100 



2105 



C 



Provide Service In Accordance 
With User Data 



1 




Receive User Data 




r 


Customize Web Site Based On User Data 


1 





c 



End 



) 



FIG. 21 



EL839723593US 



SUN-P7015 



^ Provic 



Provide Service In Accordance 
With User Data 



2200 



5 



Vendor Performs Payment Authorization Using Payment 
Data From User-Controlled Secure User Data Storage 



2205 



Vendor Creates A Fulfillment Record That Includes Order 
Information And The Shipping Information From The User- 
Controlled Secure User Data Storage 



2210 



Vendor Sends Fulfillment Record To Fulfillment Company 



2215 



Fulfillment Company Fulfills Order Using Shipping 
Information From Fulfillment Record 



2220 



Fulfillment Company Transfers Package To Shipping Agent 



2225 



Shipping Agent Delivers Package To Address In Shipping 

Information From User-Controlled Secure User Data 
Storage 



C 



End 



FIG. 22 



EL839723593US 



SUN-P7015 



(Vendor Performs Payment Authorization Using Payment \ 
Data From Secure User Data Storage / 



1 


f 


Vendor Sends Payment Request To Payment Clearing 
Agent Using The Payment Data From The Secure User 
Data Storage, including The Amount To Be Charged in 
The Request 




r 


Payment Clearing Agent Receives Payment Request And 
Amount To Be Charged 




F 


Payment Clearing Agent Sends Response (e.g. 
Transaction ID And Amount Charged) 




r 



2300 




2305 




2310 




c 



End 



) 



FIG. 23 



EL839723593US 



SUN-P7015 



Authority 



2400 



User 



2404 



2406 



2408 



2410 



2412 



2414 



2416 



2418 



2420 



2420 



2402 



Secure User Data Storage 



Service Credential 1 



Service Credential 2 



Service Credential 3 



Service Credential 4 



Service Credential 5 



Service Credential 6 



Service Credential 7 



Service Credential 8 



Service Credential 9 



Service Credential 
U 




Payment 1 



Golfers 
Assn. 



2422 



2424 



2426 



Military 



Medical 
Plan 



2428 
2430 



University 




Brokerage 
Firm 



Employer 



Alumni 
Assn. 



Payment 2 



Automobile 
Assn. 



2432 



2434 



2436 



2438 



2440 



FIG. 24 



EL839723593US 



SUN-P7015 



U 



Generate 
Profile 



Web Site 
Service 



Smart 
Services 



Visits 

2544 



2530 

Generate 
Service 
Credential Shops 



2522 



2500 

_ 2546 \ 



User 



/I 

2524 



2568 



Web Site 
Service 




Delivers 



2540 

% 

Ships 



2528 ^ 



Shipping 
Agent 



2518 



2542 



Generate 
Profile 



Smart 
Services 

Visits 

2566 



2552 

Generate 
Service 



2504 



Delivers 



Secure Service 






Credential 




Vendor 


Storage 2 





Smart 
2554Services 

2556\T~ 
Checks 



Enrolls 



Credit 



Payment 
Agent 2 



2548 



\ Aut g i2es 

2512 /V 
2558 



K 

2508 



2560 



Fulfillment 
Co. 



2516 



^ 2550 



2562 

© 
Ships 



Shipping 
Agent 



2564 



2520 



FIG. 25 



EL839723593US 



SUN-P7015 




FIG. 26 



EL839723593US 



SUN-P7015 



2702 



2704 
2706 
2708 
2710 
2712 
2714 



Logon 
Credential 



Credential Cryptogram 1 



Credential Authority Peer 
Group ID 



Credential Parameters = 

Type=Logon, Profile; 
QoS= user name.password, 

Pynir VSi ni..»AN.2002 



Credential Data = Customer 
Profile [bit-Map] 



Sealed Credential Data = Null 



Nested Credentials 




Credential Cryptogram 2 



Credential Authority 
Peer Group ID = 
Credit Card 1 ■ 



Credential Parameters = 
Type=Payment,Credit 
Card 



Credential 
Data=Purchase Class 
Approved For 



Sealed Credential Data = 
Payment Acct. No., 
Credit Limit 



Nested Credentials = 
Null 



Credential Cryptogram 3 



Credential Authority 
Peer Group ID = 
Shipping Agent 1 



Credential Parameters • 
Type=shipping 



Credential Data = 
Location=xyz,service=ov 
ernight 



Sealed Credential Data : 
Shipping Agent Acct. 
No., Shipping Address 



Nested Credentials = 
Null 



2716 



Payment 
Credential 



2718 



v Shipping Agent 
* Credential 



FIG. 27 



EL839723593US 



SUN-P7015 



2800 



2810 



C 



Begin 



) 







Receive Secure Service Credential Storage 
Device (e.g. Java Card™ With Applet) 


2805 , 

^sv^ Tim 


< 1 

r 

eTo\No 





Yes 



Hi 



Generate Service Credential (Enrollment 
Process) 



Store Service Credential Cryptogram & Credential Authority 

Peer Group ID (in Secure User Data Storage Or Store In 
Locker & Store Key To Locker On Secure User Data Storage) 



2825 




Uses ^ No 
Credential?. 



Use Service Credential To Obtain Services 



2830 




2815 



s Credential Yes _^ | JJ2 l| ^J5«_>, 



Discard Service Credential 




Update Service 
Credential 



2840 



c 



End 



3 



2835 



2845 



FIG. 28A 



EL839723592US 



SUN-P7015 



User 



Jse Service Credential Stored Of 

User-Controlled Secure User 
)ata Storage To Obtain Service^ 



Server 

Jse Service Credential Stored 

User-Controlled Secure User 
)ata Storage To Obtain Service: 



1 




Visit Web Site 




r 


Present Servi 


ce Credential 



Service Request + 
Service Credential 



ley 



Receive Service Request And 
Service Credential 



J 

Process Service Credential 




FIG. 28B 



EL839723593US 



SUN-P7015 



2900 



2905 



2910 



2915 



2920 



2925 



C 



Provide Service 



3 




Vendor Performs Payment Authorization Using Nested 
Payment Credential Extracted From Service Credential 
Specific To What Is Being Bought 




Vendor Creates A Fulfillment Message That Includes Order 
Information And The Shipping Credential Extracted From 
The Customer Profile Credential 




Vendor Sends Fulfillment Message To Fulfillment Company 




Fulfillment Company Fulfills Order Using Nested Shipping 
Credential Extracted From Fulfillment Message 




Fulfillment Company Transfers Package To Shipping Agent 




Shipping Agent Delivers Package To Address Encrypted In 
Sealed Part Of Credential 



C 



End 



3 



FIG. 29 



EL839723593US 



SUN-P7015 



3000 



5.3 



3005 



3010 



'Vendor Performs Payment Authorization Using Nested X 
Payment Credential Extracted From Service Credential ) 








r 


Vendor Sends Payment Request To Payment Clearing 
Agent Using The Nested Payment Credential From The 
Service Credential, Including The Amount To Be Charged 
In The Request 




f 


Payment Clearing Agent Decrypts Sealed Part Of Nested 
Credential 




f 


Payment Clearing Agent Sends Response (e.g. 
Transaction ID And Amount Charged) 


r 

1 





( 



End 



) 



FIG. 30A 



EL839723593US 



SUN- 



Authority 



User 



3050 



Smart Card 



User Data 1 



User Data 2 



User Data 3 



User Data 4 



User Data 5 



User Data 6 



User Data 7 



User Data 8 



User Data 9 



User Data 10 




Payment 1 



Golfers 
Assn. 



Military 



Medical 
Plan 



University 



Brokerage 
Firm 



Employer 



Alumni 
Assn. 



Payment 2 



Automobile 
Assn. 



FIG. 30B 



EL839723593US 



SUN-P7015 



Generate 
Profile 



Web Site 
Service 



Smart 
Services 

Visits 

3144 



3130 



Generate 
User Data 



A 

3106 



Vendor 



3138 



jShops 



3122 



3100 



3146 



User 



A 

3124 



3168 ^ 

^-(22) 



Web Site 
Service 



Smart 
Card 



Smart ^\ 
Services3<|32 



„ , 3134 
Checks 

Credit Enrolls 



Payment 
Agent 1 
Authorize.-^ 

X 3110 3126 
3136 



3140 

I 

Ships 



Fulfillment 
Co. 



3114 



Shipping 
Agent 



3102 



Delivers 



3118 



3142 



A 

3104 ' 



Generate 
Profile 



Smart 
Services 



Visits 

3166 



3152 



Smart 
Card 2 



Delivers 



Shops^ 



Generate 
User Data 



Vendor 



Smart 
3154 Services 

Checks 
Enrolls Credit 



3156 



Payment 
Agent 2 



"TT Authorizes 



3148 3112 /V 
3158 



3116 



K 

3108 



3160 



Fulfillment 
Co. 



^ 3150 



3162 

4 

Ships 



3164 3120 



Shipping 
Agent 



FIG. 31 



EL839723593US 



SUN-P7015 




35 



3248 



3249 



I/O Port 



Microprocessor 



VM Processor 



ROM 
3252 



K 

3242 

3246 



Installation 
Tool 



EEPROM 



\ 



3240 



RAM 



3254 



Smart Card 



3250 



FIG. 32 



EL839723593US 



SUN-P7015 




FIG. 33A 



EL839723593US 



SUN-P7015 



Authority 



User 



3340 

3342 
3344 
3346 
3348 

3350 



3352 



3354 



3356 



3358 



2402 



Secure User Data Storage 



Service Credential 



Cookie 



Service Credential 



Data Format A 



Text File 



Cookie 



Data Format B 



Text File 



Service Credential 



Service Credential 




Payment 1 



Golfers 
Assn. 



Military 



Medical 
Plan 



University 



Brokerage 
Firm 



Employer 



Alumni 
Assn. 



Payment 2 



Automobile 
Assn. 



FIG. 33B 



EL839723593US 



SUN-P7015 



3405 
3410 



s - 



3400 





Identification Server 
ID/Peer ID 



Identification 
Randomized ID 



FIG. 34 



EL839723593US 



SUN-P7015 



E.g. Service Providers, 
Credential Authorities 
Shipping Agent, Payment 
Co., Order Fulfillment Co. 




Service Portal 
(front End To Web, 

Where Web 
Experience Begins) 



\ , 3500 



Client Host 



3530 3535 




FIG. 35 



EL839723593US 



SUN-P7015 



3600 




3610 



3615 



3620 



3635 





Yes 

r 


Present Randomized Identifier To Service Portal 






Service Portal Sends A User Authentication 
Request To Identity Server Federation That 
Contains The Randomized Identifier 


} 


* 


All Servers In Identity Server Peer Group Search 
For A Match 


3625 } 


f 




Present Matching Entry Or Entries From 
Identity Server Federation To User 
Authentication Server Federation To 
Determine Single Valid User Data Entry 



3630 



Indicate No Match 



C 



End 



FIG. 36 



EL839723593US 



SUN-P7015 



3700 



3705 



3710 



3720 



3730 



C 



Begin 



3715 




No 



TslDStilN Yes 
Valid? 




Receive New Randomized ID 



Enroll For 


A Service 


i 


f 


Receive Rar 


idomized ID 




«— ■ — 

r 


Store Ranc 


Jomized ID 





Yes 




f 


Use Randomized ID To Obtain Services 


3725 } 


f 



FIG. 37 



EL839723593US 



SUN-P7015 



Internet 



3810 



3820 



3815 



Federated 
Identity 
Servers 



DataXUser 
Authentication 
Mechani 
QOS Indical 



3800 



Enrollment 




Federated 
User 
Authentication 
Servers 





User Identity 
Credential 



Service Request - Server 
Group ID + User Identity 
Credential 



Logon Credential 



Service Portal 
(front End To 
Web, Where 

Web 
Experience 
Begins) 



3805 



Cell 
Phone 



FIG. 38 



EL839723593US 



SUN-P7015 



Credential Use 
Chain 



c 



Begin 



3 



3910 



81 

o £ 

li 

g o 
z 2 



3900 



Receive User Data 
And Credentials 



User identity 


/ Credential 


Logon 
Process 

y 


r 


Log-On C 


;redentiai 



Service 
Request 



3915 



3905 



3925 




E.g. Stored On Hard Disk Or 
Personal Device, E.g. As Cookie. 
Required Parameters: 
User Data Access Credentials For 
Nested User Data Credentials 



Stored As "Session ID Cookie" On Client 
Host 

-Expiration= M Some Time Soon" 
-Client Host="Some IP Address" 

(Client Fixed To Logon Credential) 
(i.e.limited In Time And Place) 



Stored As Server- 
Specific Session ID 
Credential E.g. As 
Cookies On Client Host 
3935 



Get Fulfillment 


Yes 

M < 


Credential 


Consumption 
Request 










3920 


Consume Fulfillment 
Credential 





Immediate 
fulfillment?, 



No 


Rights Key Credential 


> ► 


3940 





No 



3939 



3945 





>4^< 
3950 








3955 




3960 


Store Rights Key 


Credential On Host/ 


Personal Device 



Use 
.ocker ?> 



Yes 



Store Rights Key 
Credential In Locker 



Locker Access 
Credential 



i 



Store Locker Access 
Credential On Host/ 
Personal Device 



FIG. 39 



EL839723593US 



SUN-P7015 



4005 



Hi 



Address Peer Group 



Credential/ 
Identification 
Server 1 




4020 



Email Address Book Peer 
Group 



Credential/ 
Identification 
Server 4 



User 
Identification 
^ DataD ^ 



4030 

X 



Service 
Provider 



Authenticate Only Part Of 
The Data 



Income Statement Peer 
Group 



Credential/ 
Identification 
Server 2 




Payment Peer Group 



Credential/ 
Identification 
Server 3 





_4015 

Music Credential Peer 
Group , 



Credential/ 
Identification 
Server 5 




Personal Credential 
Locker Peer Group 



Identification 
Service Peer 
Group 



Credential/ 
Identification 
Server 6 




FIG. 40 



EL839723593US 



SUN-P7015 



"Present Matching Entry Or Entries From 
Identity Server Federation To User 
Authentication Server Federation To 
Determine Single Valid User Data Entry 



4100 



For Each User Authentication Server, Retrieve A 
User Record For The User That Has Been Found 
By The Identification Server 



4105 



Can The 
Required QOS Be^ 
Met By Current User 
Authentication 
Server? 



Request One Or More Other Cooperating 
User Authentication Server Perform Rest 
Of User Authentication (Create User 
Authentication Credential) 





Yes 






Engage With The Client To Obtain Required QOS 


1 




Return User Authentication Credential 


i 


r 



4110 



4115 



4120 



c 



End 



) 



FIG. 41 



EL839723593US 



SUN-P7015 



4200 



Resource Server 



4205 





Resource 1 


IDs Of Rights Key 
Credentials 


Resource 2 


IDs Of Rights Key 
Credentials 


Resource 3 


IDs Of Rights Key 
Credentials 


Resource 4 


IDs Of Rights Key 
Credentials 


■ ■ ■ 


■ ■ ■ 



IDs Of Rights Key 
Credentials That Provide 
Access To A Resource On 
The Server 

-Credential Data Includes 
Cryptographic Keys 



Refer To Owner Of Resource 
FIG. 42A 



: ~3 
.sFV 



4210 4215 4220 




Resource 1 


IDs Of Rights Key 
Credentials 


Cryptographic Delivery 
Protection Mechanism 


Resource 2 


IDs Of Rights Key 
Credentials 


Cryptographic Delivery 
Protection Mechanism 


Resource 3 


IDs Of Rights Key 
Credentials 


Cryptographic Delivery 
Protection Mechanism 


Resource 4 


IDs Of Rights Key 
Credentials 


Cryptographic Delivery 
Protection Mechanism 


■ ■ ■ 


■ ■ ■ 


■ ■ ■ 



FIG. 42B 



EL839723593US 



SUN-P7015 



Resource Peer Group 





4310 



Resource 



4320 



Resource 
Request + 
Rights Key(s) 




4305 



FIG. 43A 4325 




4335 



Resource 




4345 



Resource 
Request + 
Rights Key(s) 
+ Delivery 
Protection 
Mechanis; 




4340 



User Host 



E.g. Encrypted 
Connection To 
A Specific MP3 
Player 



4325 



4330 FIG. 43B 



Rights Key Credential 




Credential Cryptogram 



Credential Authority Peer 
Group ID 



Credential Parameters: 
Type="RightsKey M 



Credential Data = Key 
Data 



Sealed Credential 
Data=Null 



Nested Credentials=NulI 



FIG. 43C 



EL839723592US 



SUN-P7015 



C 



Begin 



) 



} 




Send Resource Server A Resource Request 
Including A "Rights Key" Credential 




* 


Resource Server Matches Key With Identifier In 
Set Of Identifiers Associated With A Resource 


1 


r 4410 




Yes 



Create New ID And Return To User 



Deliver Associated Resource 



4400 




4405 




4415 




4420 




c 



End 



3 



FIG. 44 



EL839723593US SUN-P7015 



c 



Begin 



) 



1 




Send Resource Server A 
Including A First "Rights 
Second "Rights 


Resource Use Request 
► Key" Credential And A 
Key" Credential 


y 


f 


Resource Server Matches Both Keys With 
Identifiers In Set Of Identifiers Associated With A 
Resource 


1 


4510 

r S 



Create New ID And 


Deliver To Its User 


>> 




\ 


Deliver Associated Resource 



4500 




4505 





4515 



4520 




c 



End 



3 



FIG. 45 



EL839723593US 



SUN-P7015 



4600 




4620 



4625 4630 






HTTP://VVV\n/V.SomeResourceSer^rPeerGroup/KindOfResourceDirectory/Any?RightsKeylD=aWa 

FIG. 46A 



HTTP Message 



4605 




Header: 

RightsKey="Rights Key Credential Data" 



Body 



FIG. 46B 



Smart Card 



4610 





4615 



Music Rights Management Applet 



Music Resource 


Rights 


Rights 


Rights 


Rights 


Server ID 


Key 


Key 


Key 


Key 




z 



4620 



E.g. 1 Per Music Title 



FIG. 46C 



EL839723593US 



SUN-P7015 



4630 



National 
Association Of 
I Purveyors Of Books 
(Authority) 



User Profile + 
Collected User Data y 



User Profile + 
Collected User Dats 



4635 



4655 



4660 

Jser Profile Including 
Approximated User 
Data 



4675 




4680 



User Profile including 
Approximated User 
Data 



4640 



Book Vendor 1 
(Service Provider) 



Book Vendor 2 
(Service Provider) 



4665 




User Profile Including 
Approximated Usej/ 
Data 



4685 



User 
Profile 




User Profile Including 
Approximated User 
Data 



4670. 



User Profile Including 
Approximated User 
Data 



4650 



4645 



Customer/User 



FIG. 46D 



EL839723593US 



SUN-P7015 



Dynamic Aggregation 

(From Service 
Provider's Perspective) 



o 



4700 



4705 



4710 



4715 



4720 



c 



Begin 




) 







1 


r 


Service Provider Receives Service Request And 
Associated User Data 




f 


Collect User Profile Information i 




f 


Present User Data And User Profile Information 
To Authority 


\ 


f 


Service Provider Receives Approximated User 
Information From Authority 


} 


r 


s Return Approximated User Information To User 




f 



c 



End 



FIG. 47 



EL839723593US 



SUN-P7015 



Static 
Aggregation 
(From Authority's 
Perspective) 



C 



Begin 



) 



1 


f 


Receive User Data 




f 


Apply Aggregation Policy To Obtain 
Approximated User Information Based On The 
User Data 






Return Approximated User Data To The User 


} 


1 



c 



End 



) 



4800 




4805 




4810 




FIG. 48 



EL839723593US 



SUN-P7015 



4905 



Web Server 





Shared 




Secret 





4i 



Cookie 



Cookie 
Processing Logic 



Reconfigured 
Cookie 



4900 



4915 





4930 



4935 




Computer / 
Terminal 



Cookie 
Request 




Card Reader 



Packet 
Sniffer 



Cookie 
Request 



4945 



4950 




4940 




4925 



Downloaded 
From Trusted 
Source 




Reconfigured 
Cookie 



Smart Card 



Applet 



Shared 
Secret 



5 



Cookie 



Cookie Processing 
Logic 



4955 




4960 



FIG. 49 



EL839723593US 



SUN-P7015 



5000 



5005 




KWeb Server 
. 5010 



5065 



Cookie 
Update 
Logic 



Secret 




Cookie 



Cookie 
Processing Logic 



Reconfigured 
Cookie 



5015 



s .. I 




Other Embodiments: 

1. Attach Timestamp To Cookie & 
Don't Process If Stale 

2. Cookie Management Credential 

3. Non-Managed/Non-Processed 
Cookies Gust Cookies On A Card) 



5030 




Computer / 
Terminal 



_l 



Packet 
Sniffer 




5045 
5040 5050 




5025 



Downloaded From 
Trusted Source 
During Enrollment 
Process 



5035 



Cookie 
Request 




Card Reader 



Cookie 
Request 



Reconfigured 
Cookie 



Smart Card 



Applet 



Cookie 
Update 
Logic 



Cookie 



Cookie Processing 
Logic 

s 



IS 



5055 



5060 



FIG. 50 



t 

EL839723593US 



SUN-P7015 




FIG. 51 



